Global Cybersecurity Index An overview Rosheen Awotar-Mauree - - PowerPoint PPT Presentation

Global Cybersecurity Index An overview

Rosheen Awotar-Mauree Programme Officer ITU Office for Europe

What is GCI …

GCI is a composite index combining 25 indicators into one benchmark measure to monitor and compare the level of ITU Member States

cybersecurity commitment with regard to the five pillars identified by

the High-Leve Experts and endorsed by the GCA.

“GCI is a capacity building tool, to support countries to improve their national cybersecurity posture”

All iterations include primary research in order to provide global coverage of the 194 Member States

Background

• GCIv1 – the 1st iteration of the GCI has started in 2013-2014 period -105 countries responded
• GCIv2 – the 2nd iteration covered 2016-2017 period – 134 countries responded
• GCIv3 – 3rd iteration started in March 2018

GCI aims to

• Help countries identify areas for improvement
• Motivate action to improve relative GCI rankings
• Raise the level of cybersecurity awareness worldwide
• Help to identify and promote best practices
• Foster a global culture of cybersecurity

The GCIv3 includes 25 indicators and 50 questions. The indicators used to calculate the GCI were selected on the basis of the following criteria:

• relevance to the five GCA( Global

Cybersecurity Agenda) pillars and in contributing towards the main GCI

• bjectives

and conceptual framework;

• data availability and quality;
• possibility
• f

cross verification through secondary data.

GCI overall approach

Legal

• Cybercriminal

legislation

• Cybersecurity

regulation

• Cybersecurity

training on regulation and laws Technical

• National CIRT
• Government

CIRT

• Sectoral CIRT
• Standards

implementation framework for

• rganizations
• Standards and

certification for professionals Organizational

• Strategy
• Responsible

agency

• Cybersecurity

metrics Capacity Building

• Standardization

bodies

• Best practice
• R & D

programmes

• Public

awareness campaigns

• Professional

training courses

• National

education programmes and academic curricula

• Incentive

mechanisms

• Home-grown

cybersecurity industry Cooperation

• Bilateral

agreements

• Multilateral

agreements

• International

fora participation

• Public-private

partnerships

• Interagency

partnerships

GCI Indicators

What makes the GCI unique is the balanced combination of:

• The broad geographic range covering all Member States
• The multi-stakeholder approach
• The scoring and ranking mechanisms
• The cyberwellness country profiles

Unique Value

Index from different organizations and companies are researched and compared

Index of Indices – situates GCI unique value

GCI v2 Partners

Score calculation

Panel of Expert: an average for each question weightage

provided by GCI Partners

• 2. Do you have any technical measures?

19.12 2.1. Is there a CIRT, CSIRT or CERT with national responsibility? 4.65 2.1.1.Does it have a government mandate? 1.33 2.1.2.Does the CIRT, CSIRT or CERT conduct recurring cybersecurity exercise? 1.23 2.1.3.Is the CIRT, CSIRT or CERT affiliated with FIRST? 1.04 2.1.4.Is the CIRT, CSIRT or CERT affiliated with any other CERT communities? (regional CERT) 1.06 2.2. Is there a Government CERT? 3.03 2.3. Are there any sectoral CERTs? 2.71

• 1. Is there any Cyber related legislation?

20.94

• 2. Do you have any technical measures?

19.12

• 3. Do you have any organizational measures?

19.67

• 4. Do you have any capacity building activities?

18.93

• 5. Do you have any cooperative measures?

21.34

Total of all weightages = 100

Presentation of analysed information

Global Report Regional Report Cyberwellness Profiles Factual information on cybersecurity achievements on each country

Focus on Europe and CIS Results

GCI 2017 Heat Map

Commitment levels High Medium Low

GCI 2017 : Global Top Ten

Country GCI Score Legal Technical Organizational Capacity Building Cooperation Singapore 0.92 0.95 0.96 0.88 0.97 0.87 United States 0.91 1 0.96 0.92 1 0.73 Malaysia 0.89 0.87 0.96 0.77 1 0.87 Oman 0.87 0.98 0.82 0.85 0.95 0.75 Estonia 0.84 0.99 0.82 0.85 0.94 0.64 Mauritius 0.82 0.85 0.96 0.74 0.91 0.70 Australia 0.82 0.94 0.96 0.86 0.94 0.44 Georgia 0.81 0.91 0.77 0.82 0.90 0.70 France 0.81 0.94 0.96 0.60 1 0.61 Canada 0.81 0.94 0.93 0.71 0.82 0.70

Maximum score is 1

GCI 2017: Heat map – regional perspective

0.210 0.296 0.334 0.370 0.430 0.530 Regional Score on a maximum on 1

GCI 2017 for ITU Europe & CIS region

43 Countries EUROPE : Albania, Andorra, Austria, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Israel, Italy, Latvia, Liechtenstein, Lithuania,Luxembourg, Malta, The Former Yugoslav Republic of Macedonia, Monaco, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, San Marino, Serbia, Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, Vatican,United Kingdom 11 Countries CIS : Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Moldova, Russian Federation, Tajikistan, Turkmenistan, Ukraine, Uzbekistan

GCI TIERS out of 54 countries

• Leading stage refers to the 22 countries (i.e., GCI score in the 60th percentile and higher) that

demonstrate high commitment.

• Maturing stage refers to the 22 countries (i.e., GCI score between the 30th and 59th

percentile) that have developed complex commitments, and engage in cybersecurity programmes and initiatives.

• Initiating stage refers to the 10 countries (i.e., GCI score less than the 30th percentile) that

have started to make commitments in cybersecurity.

Some responses for Europe & CIS regions

Out of 54 ✓ 24 countries have Cybercriminal legislation ✓ 32 countries have Cybersecurity legislation ✓ 20 countries have Cybersecurity training on regulation and laws ✓ 35 countries have National CIRTs ✓ 43 countries have Government CIRTs ✓ 34 countries have sectoral CIRTs ✓ 38 countries have an entity responsible for Child Online Protection ✓ 7 countries use Cybersecurity metrics at national level ✓ 12 countries have standardization bodies handling Cybersecurity ✓ 23 countries have good practices in Cybersecurity ✓ 17 countries have R&D programmes in Cybersecurity

Netherlands uses metrics annually in order to measure cybersecurity development at a national level, summarized in the Cyber Security Assessment Netherlands report. The National Cyber Security Centre (NCSC) compiles disclosure reports, security advisories and incidents using a registration system. The metrics allow trends to be observed and acted on.

Some Noteworthy practices

UK and China agreed to establish a high-level security dialogue to strengthen exchanges and cooperation on security issues such as non-proliferation, organized crime, cyber crime and illegal

• immigration. The UK and China agree not to conduct or support cyber-enabled theft of intellectual

property, trade secrets or confidential business information with the intent of providing competitive advantage

• Cyber Security information Sharing Partnership (CiSP) - https://www.cert.gov.uk/cisp/

United Kingdom issued in 2016 its second five years National Cyber Security Strategy. The strategy, issued by the Cabinet Office, aims to make the country one of the safest places in the world to carry

• ut online business and doubles investment in cybersecurity compared to the first plan.

Online Survey is Ready – Action is needed by GCI National Focal points

GCIv3 50

questions

How it functions. Main steps.

• Preparation phase
• Elaboration of the survey in collaboration with experts an partners
• Development of online survey system
• Preparation of supporting documentation (guides, conceptual framework, letters etc.)
• Announcement on the ITU website
• Start phase
• Informing/invitation Member States via official letter from the BDT Director to Administrations (Responsible Ministry, organization, agency…)
• Collection of contact details of Focal Point(s) assigned by the Administration
• Contacting FPs and providing access to the online survey together with all necessary documents and instructions
• Technical Support
• Data collection phase
• Filling the questionnaire (FPs provide data, links, supporting documents etc.)
• Collection of data from open sources for non-respondents (ITU helps Member States to appear in the Report)
• Verification Phase
• ITU specialists verify and all provided data and contact FPs for more details if needed.
• ITU shares the verified data with FPs
• Analysis Phase
• Analysis of all collected data (for respondents and non-respondents).
• Ranking. Preparation of comparison charts, maps, tables and other statistical elements.
• Illustrative practices extraction.
• Report writing and publication Phase
• Elaboration of the GCI Report
• Publication on the ITU website and printing
• Official launch and informing Member States
• Follow-up

Preparation phase Start phase Data collection phase Verification Phase Analysis Phase Report writing and publication Phase

• Identify a National GCI Focal point and inform ITU
• Make all relevant data available to the National GCI Focal point
• Seek clarifications by connecting the ITU GCI team

cybersecurity@itu.int

How to improve GCI score and position

JOIN US

Thank you

www.itu.int EURregion@itu.int @ITU_EUR